Chinese State Hackers Using NSA Exploit Tools Against All of Us

In 1980, the British comedy group Monty Python created a video, “I Like Chinese.” We all like Chinese; except the Chinese Communist Party (CCP) – who train, encourage and promote active hacking of many, many counties. A Chinese hacking group allegedly "cloned" and deployed a zero-day exploit developed by the US National Security Agency's Equation Group (NSA) before Microsoft patched the Windows vulnerability that was being exploited in 2017. For several years, researchers have suspected the Chinese hacking group known as APT31 or Zirconium developed an exploit tool to take advantage of a vulnerability tracked as CVE-2017-0005 and found in older versions of Windows, such as Windows 7 and Windows 8.

Check Point research recently reported how the Chinese hacking group allegedly stole, cloned and then exploited a zero-day vulnerability created by the Equation Group, which is widely believed to be tied to the NSA's elite Tailored Access Operations Team. The report also raises additional questions about how some of the NSA's most prized cyber weapons have been discovered or stolen by nation-state hacking groups and then turned on their developers over the years. In May 2019, Symantec published a similar report that found another group of hackers had stolen and exploited cyber tools developed by the NSA.

Both the Symantec and Check Point research show that the theft of NSA Equation Group tools by these groups appears to have happened before the hacking group, known as the Shadow Brokers, first began publishing the agency's exploits in 2016. The 2016 Shadow Brokers leak provided a preview of future possible implications that a cyber theft can cause.[1]

Many important questions remain - could this have also happened before? And who is behind it and what did they use it for?" Researchers write in the report. "Our recent research aims to shed more light on this topic, and reveal conclusive evidence that such a leak did actually take place years before the Shadow Brokers leak, resulting in US developed cyber tools reaching the hands of a Chinese group which repurposed them in order to attack US targets." An NSA spokesperson declined to comment on the report in February 2021.

The latest report by Check Point not only shows the dangers of what happens when the NSA's tools are stolen by nation-state hacking groups, but also the flaws with the Vulnerabilities Equities Process, a US government program that discloses software vulnerabilities to vendors so they can be patched, says the chair of Indiana University's cybersecurity program. "The Biden administration would be well advised to take a fresh look at the US Vulnerabilities Equities Process created by the Obama administration, particularly the role played by the NSA in weighing how and when to disclose discovered vulnerabilities back to vendors. The Trump administration's decision to give the NSA a larger role in Vulnerabilities Equities Process, in particular, seems to have been ill-advised."

Security research previously noted that the APT31 hacking group first developed a zero-day exploit for CVE-2017-0005, called "Jian," in 2014 and initially deployed it in 2015. The exploit was used for two years before Microsoft finally issued a patch for it in 2017. If exploited, this bug could allow an attacker to escalate privileges within a compromised device and then gain full control, the researchers note. Microsoft published its patch for CVE-2017-0005 in March 2017, when the company was forced to issues multiple fixes for the exploits related to the Shadow Brokers' "Lost in Translation" leak. A further investigation by Check Point found that Jian was not an original creation, but a clone of a zero-day exploit for older versions of Windows developed by the NSA Equation Group in 2013 and originally called "EpMe" by the agency, according to the current report.[2]

Researcher show that the APT31 hackers gained access to both the 32-bit and 64-bit versions of the EpMe exploit more than two years before the Shadow Brokers leak become public in 2016. A module within the exploit that had similarities to DanderSpritz, a modular post-exploitation framework created by the NSA Equation Group that contains dozens of interdependent modules, according to the Check Point report. This framework also contained several zero-day exploits that targeted Windows and other Microsoft products. This includes EpMe, which is similar to Jian, as well as another zero-day exploit called "EpMo," which Microsoft patched in May 2017, although the company didn't assign a CVE number to the vulnerability.

One researcher notes that when APT31 copied that EpMe code, the hackers did not realize that the exploit had certain limitations. Jian contains several code snippets that show that its developer was not fully aware of the nature and limitations of the exploited vulnerability, such as trying to support Windows 2000 which is not even vulnerable. The researchers went on to say, "This Windows 2000 support makes sense in Equation Group's exploit as it is a shared module with another Equation Group exploit EpMo, which supports this Windows version. The futile attempt of Jian to support Windows 2000 looks like a classic case of copying code without fully understanding how it works and if it is even necessary."

What is not clear is how APT31 first obtained the source code for EpMe that it eventually refashioned into Jian. There are several possibilities, including that APT31 captured the exploit code during an Equation Group network operation on a Chinese target, or the hackers found an Equation Group operation on a third-party network, which was also being monitored by Chinese intelligence, according to the researchers. A third possibility, although more remote, is that the Chinese hackers found the zero-day exploit during an attack on Equation Group infrastructure.

A professor of electrical and computer engineering at Carnegie Mellon University, notes that when it comes to cyberespionage, these types of incidents are likely to keep happening since any exploit can be captured and studied by those it targets. "In reality, the Chinese group did the cyber equivalent of copying a movie or music file. Attacks and exploits are different from physical weapons. They are just bits on a wire, and anyone can copy them and reuse them," the professor said. "Every time the US uses an exploit, they are potentially showing others a new unknown to them capability. Similarly, every time Russia hacks the US, we may learn a new exploit."

It is also not clear which organizations APT31 may have targeted using the Jian exploit. The Check Point report notes that Lockheed Martin's Computer Incident Response Team was the first to report the vulnerability to Microsoft. The fact that the vulnerability was discovered by a defense contractor could indicate that the hacking group was planning "a possible attack against an American target," the Check Point researchers note.

The future of connected and autonomous cars is emerging, and so are the strategies needed to secure it. Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported on this topic several times. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/3702558539639477516